CISSP Notes

CIA Triad
- Confidentiality
  - Resources should be protected from unauthorized access
  - Prioritized by governments
  - Concepts
    - Sensitivity: how harmful disclosure would be
    - Discretion: controlled disclosure to prevent damage
    - Criticality: how essential the information is to the organisation
    - Concealment: hiding information (e.g. obfuscation)
    - Secrecy: keeping something a secret
    - Privacy: keeping personal information secret
    - Seclusion: storing data in out-of-the-way locations
    - Isolation: keeping data separate
- Integrity
  - Resources should be protected from unauthorized modification
  - Resources should maintain semantic consistency
- Availability
  - Resources should be accessible to authorized parties
  - Prioritized by businesses

AAA
- Required to hold a subject accountable for actions
- Identification: the subject identifies themselves
- Authentication: the subject proves their identity
- Authorization: the subject is allowed or disallowed to perform an action (what can the subject do and not do?)
- Auditing: the subject's actions are logged
- Accounting: the subject's logs are reviewed for violations; the subject is held accountable for their actions

Legally Defensible Security
- Required to hold subjects accountable
- You need to prove
  - Efforts were made to prevent the crime
  - Log files are accurate
  - All laws and regulations were followed
  - Warnings and notifications were posted
  - Electronic e…nce is de…ve
- Non-repudiation: subjects cannot deny performing an action

Protection Mechanisms
- Layering / Defense-in-Depth
  - Use of multiple controls in a series
  - Series vs. parallel
    - Series: useful for security; data passes through multiple filters (an airport with multiple gates)
    - Parallel: useful for performance; data can pass through any filter (a mall with multiple entrances)
- Abstraction
  - Generalizes a group of objects and subjects
  - Defines object and subject templates
  - E.g. "Employee" can be used to describe "Linda", "Mark", etc.
- Data Hiding
  - Places data in a location not seen by the subject
  - Prevents data from being accessed by unauthorized subjects
- Encryption
  - Hides the intent of the data rather than hiding the data itself
  - Makes data unreadable to unauthorized subjects

Security Governance
- Administration of an organization's security program
- Business Case: justifies starting a new project
- Approaches
  - Top-down: upper management makes security policies; lower-level professionals flesh them out
  - Bottom-up: IT staff makes security decisions; problematic
- Autonomous InfoSec Team
  - Led by the CSO
  - Reports directly to senior management
- Security Policy
  - Requires the support of senior management to succeed
  - Evidence of due care and due diligence

Security Management Plans
- Strategic Plan
  - Long-term plan
  - Defines the security purpose of the organization
  - Lifetime: 5 years
- Tactical Plan
  - Mid-term plan
  - Contains TASKS to achieve the Strategic Plan
  - Examples: project plans, acquisition plans, hiring plans, budget plans
  - Lifetime: 1 year
- Operational Plan
  - Short-term plan
  - Contains STEPS to achieve the Tactical Plan
  - Examples: training plans, system deployment plans, product design plans
  - Lifetime: 1 month / 1 quarter

Change Management
- Changes can lead to security issues
- Purpose: prevents compromise after a change
- Goals
  - Monitor change
  - Test change
  - Allow rollback of change
  - Inform users of change
  - Analyze effects of change
  - Minimize negative impact of change
  - Allow review of change by the Change Approval Board (CAB)

Data Classification
- Identify which data need to be prioritized for protection
- Identify which controls are needed for which data
- Benefits
  - Demonstrates commitment to protection of data
  - Identifies critical assets
  - Justifies selection of controls
  - Required for regulations
  - Defines proper access, declassification, and destruction methods
  - Helps with data life-cycle management
- Classification Criteria
  - Usefulness, timeliness, value, age, lifetime, relationship with subjects, sensitivity, criticality, national security implications, storage method, ownership
- Implementing Classification
  - Identify custodian
  - Determine evaluation criteria
  - Classify resources
  - Determine exceptions
  - Determine security controls
  - Determine declassification procedure
  - Staff awareness/training
- Classification Schemes
  - Government/Military
    - Classified: Top Secret, Secret, Confidential
    - Unclassified: Sensitive, Unclassified
  - Private/Business
    - Confidential/Private
      - Confidential/Proprietary: related to the business
      - Private: related to personnel
    - Sensitive
    - Public

Security Roles and Responsibilities
- Roles and Responsibilities
  - Senior Manager: signs off on policy issues; liable for the security solution
  - Security Professional: designs and implements security solutions
  - Data Owner: classifies data
  - Data Custodian: implements controls to protect data; protects data based on its classification
  - User: accesses the system; complies with security policies
  - Auditor: checks for compliance with security policy; checks the effectiveness of security policy
- Training vs Education
  - Training: so users can comply with security policies
  - Education: users learn more than what they need to know

Control Frameworks
- For planning the IT security of an organization
- Control Objectives for Information and Related Technology (COBIT)
  - By ISACA
  - Principles
    - Meeting Stakeholder Needs
    - Covering the Enterprise End-to-End
    - Applying a Single Integrated Framework
    - Enabling a Holistic Approach
    - Separating Governance from Management

Due Care and Due Diligence
- Due Care
  - Required effort to protect data
  - Compliance with legal regulations
  - Legal duty of the company
  - Failure will result in negligence
- Due Diligence
  - Maintaining due care
  - Continuous improvement of security
  - Penetration tests, vulnerability assessments, etc.
- Operational Security
  - Ongoing maintenance of due care and due diligence

Components of Security Policies
- Should be kept as separate documents
  - Only changed materials need to be redistributed
  - Not all users are concerned with all documents
- Security Policy
  - Generalization of security needs, goals, and practices
  - Broad overview of security
  - Strategic plan
  - Proof of due care
  - Compulsory
  - Responsibilities must be role-based, not individual-based
  - Types
    - Organizational
    - Issue-specific (network service, department)
    - System-specific
  - Categories
    - Regulatory: required by law
    - Advisory: required by senior management; Acceptable Use Policy; assigns security roles; assigns responsibilities to roles; contains expected behaviour
    - Informative: not required; provides background information on issues
- Standard
  - Describes uniform implementation of technology
  - Tactical document
- Baseline
  - Defines a secure state for a system
  - System-specific
- Guideline
  - Recommendations and suggested actions for compliance
  - Describes controls rather than products
  - Not compulsory
- Procedure
  - Step-by-step instructions on how to implement a security control
  - Specific to a system or product
  - Ensures compliance with a standard

Threat Modeling
- Approaches
  - Proactive
    - Performed before and while the system is being implemented
    - Predicting threats and designing defenses in advance
    - More cost effective and more successful
    - Security Development Lifecycle: reduce the number of coding defects; reduce the severity of remaining defects
  - Reactive
    - Performed after the system has been implemented
    - Less effective, but more cost effective than a redesign
    - E.g. penetration testing, source code review, fuzz testing
    - Fuzz Testing: random invalid input is fed to a program; attempts to find previously undetected flaws
- Steps
  - Threat Identification
    - Approaches
      - Focused on assets: protect valuable assets
      - Focused on attackers: protect the things that attackers want to attack
      - Focused on software: protect the software
    - Individual threats: be cautious of contractors and trusted partners
  - Threat Categorization (STRIDE)
    - Spoofing: falsifying information to gain access
    - Tampering: making unauthorized changes
    - Repudiation: denying having done an action
    - Information Disclosure: revelation of controlled information
    - Denial-of-Service: prevents the use of an asset
    - Escalation of Privilege: elevates the capability of an under-privileged account
  - Determining Potential Attacks
    - Data Flow Diagrams: entities, technologies, transactions
    - Attacks vs. each element
  - Reduction Analysis
    - Decomposing the system/process/environment into modules, functions, protocols, etc.
    - Identify the following: trust boundaries, data flow paths, input points, privileged operations, security approach
  - Prioritization and Response
    - Probability x Damage Potential
    - High/Medium/Low
    - DREAD: Discoverability, Reproducibility, Exploitability, Affected Users, Damage Potential

Acquisition Security
- Select software with integrated security
- Evaluate third-party service providers
  - On-site assessment: observe their operating habits
  - Document exchange and review: investigate the data exchange process
  - Process/policy review: review their security policies
  - Review Service Level Agreements

Personnel Security
- People: the weakest link in the security chain
- Hiring Process
  - Job Description
    - Concepts: separation of duties, least privilege, job responsibilities, job rotation, cross-training
    - Maintain throughout the organization lifecycle
  - Job Classification
  - Employee Screening: background checks, etc.
  - Hiring and Training: non-disclosure agreement, non-compete agreement
  - Termination: notify the employee; request return of company equipment; disable electronic access; exit interview and NDA review; escort off premises
- Separation of Duties
  - Work tasks divided among administrators
  - Applies to administrators instead of users
  - Prevents collusion
- Least Privilege
  - Users should only have the privileges that they require
  - Applies to users instead of admins
- Job Responsibilities
  - Work tasks that an employee is required to perform
  - Defines the required objects, resources, and services
- Job Rotation
  - Provides knowledge redundancy
  - Less downtime
  - Reduces risk of fraud via peer auditing
  - Protects against collusion
- Cross-training
  - Alternative to job rotation
  - Employees are trained for other jobs
  - Workers are not rotated through different jobs
- Collusion: when people work together to commit a crime
- Non-disclosure Agreement (NDA): protects confidential information within an organization
- Non-compete Agreement (NCA)
  - Prevents employees from jumping to a competitor
  - Has a time limit
  - Allows the company to keep its competitive edge
  - Difficult to enforce
  - Deters violation of the NDA
- Mandatory Vacations: used to audit employees
- Termination Best Practices
  - Have one witness
  - Escort off premises
  - Escort required when in the work area
  - Return employee identification and equipment
  - Disable the network user account at the same time as termination
  - Notify HR to issue final paychecks
  - Inform security personnel of the termination
  - Terminate at the end of a shift in the middle of the week
  - Perform an exit interview
- Exit Interview
  - Review liabilities and restrictions
  - Review NDA and other agreements
- Third-party Controls
  - Service Level Agreements
    - Define the expected level of service from a third party
    - Put in place for network connections and services
    - Include remedies if not met
    - Common SLA issues: system uptime, maximum consecutive downtime, peak load, average load, responsibility for diagnostics, failover time
- Compliance
  - Adherence to regulations
  - Employees need to follow policies, etc.
- Privacy
  - Secrecy of personal information
  - Prevention of unauthorized access to PII
  - Freedom from being monitored without knowledge
  - For employees, site visitors, customers, suppliers, and contractors
- Personally Identifiable Information
  - Information that can be traced back to a person
  - Includes: phone, email, address, SSN, name
  - Excludes: MAC address, IP address, OS type

Security Governance
- Directing the security efforts of an organization
- Third-party Governance
  - Employment of external auditors: external auditors review your security
  - Compliance of external providers: providers must comply with your security policies
  - Documentation review
    - Exchanging materials
    - Reading and verifying them against expectations
    - Required before performing on-site assessments
  - On-site assessments
    - First-hand exposure to security mechanisms
    - Auditors should follow COBIT
- Authorization to Operate (ATO)
  - For government contractors
  - Required when complying with government security policies

Risk Management
- Risk: the possibility that assets could be damaged or disclosed
- Risk Management: actions to reduce risk to an acceptable level
- Steps
  - Risk Analysis: identify; evaluate; countermeasures
  - Risk Responses
    - Mitigate: using countermeasures to reduce risk
    - Transfer: transferring risk to another organization; purchasing insurance; outsourcing business processes
    - Accept: when the countermeasure costs more than the risk; the organization absorbs the risk cost; signed off by management
    - Reject: ignoring the existence of the risk; not a prudent due-care response
  - Countermeasure Selection and Implementation
    - Rules
      - Countermeasure cost < asset value
      - Countermeasure cost < countermeasure benefit
      - Benefit of attack
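The DREAD prioritization and the simpler "Probability x Damage Potential" rating described under Threat Modeling above, as an added example that is not part of the notes. It assumes a 1..10 scale per DREAD component, a mean-of-five DREAD score, and High/Medium/Low bands chosen here; the sample threats are constructed.

```python
# Added example, not from the notes: DREAD scoring for threat prioritization.
# Assumptions: each DREAD component is rated 1..10 (the notes fix no scale), the
# score is the mean of the five components, and the High/Medium/Low bands
# (>= 7 High, >= 4 Medium, else Low) are this example's own choice.
from dataclasses import dataclass

DREAD_FIELDS = ("discoverability", "reproducibility", "exploitability",
                "affected_users", "damage_potential")

@dataclass(frozen=True)
class Threat:
    name: str
    stride: str  # STRIDE category from the notes
    discoverability: int
    reproducibility: int
    exploitability: int
    affected_users: int
    damage_potential: int

def dread_score(t: Threat) -> float:
    """Mean of the five DREAD components; rejects values outside 1..10."""
    values = [getattr(t, f) for f in DREAD_FIELDS]
    for v in values:
        if not 1 <= v <= 10:
            raise ValueError(f"{t.name}: DREAD values must be 1..10, got {v}")
    return sum(values) / len(values)

def probability_times_damage(t: Threat) -> float:
    """The notes' simpler 'Probability x Damage Potential' rating; probability is
    taken (assumption) as the mean of discoverability, reproducibility, exploitability."""
    probability = (t.discoverability + t.reproducibility + t.exploitability) / 3
    return probability * t.damage_potential

def band(score: float) -> str:
    """Map a DREAD score to the High/Medium/Low response levels."""
    return "High" if score >= 7 else "Medium" if score >= 4 else "Low"

def prioritize(threats):
    """Return (threat, dread score, band) tuples, highest score first."""
    scored = sorted(((t, dread_score(t)) for t in threats), key=lambda p: p[1], reverse=True)
    return [(t, s, band(s)) for t, s in scored]

# Constructed sample threats for a hypothetical login service.
SAMPLE = [
    Threat("Forged session token", "Spoofing", 6, 9, 7, 9, 8),
    Threat("Log tampering by admin", "Tampering", 3, 5, 4, 4, 6),
    Threat("Password reset flood", "Denial of Service", 9, 9, 8, 6, 5),
    Threat("Verbose error leaks stack trace", "Information Disclosure", 8, 10, 2, 3, 2),
]
```

Running `prioritize(SAMPLE)` ranks the forged-token and reset-flood threats as High and the other two as Medium, which is the ordering a response plan would work through first.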
